2/13/2014. What is Tamper Resistance? IBM s Attacker Categories. Protection Levels. Classification Of Physical Attacks.

Transcription

1 What is Tamper Resistance? Physical and Tamper Resistance Mohammad Tehranipoor Updated/Modified by Siavash Bayat Sarmadi Resistance to tampering the device by either normal users or systems or others with physical access to it It ranges from simple features like screws with special heads to complex devices which can zeroize the content in it or encrypt the information 13 February February IBM s Attacker Categories Protection Levels Class I (clever outsiders) Clever but have insufficient knowledge of the system and equipment Class II (knowledgeable insiders) Generally have access sophisticated equipment and tools Class III (funded organizations) They are funded by big organizations and have access all kind of resources LEVEL ZERO No special security features. All of the parts of the device are free to access. LEVEL LOW Some security features are used. It can be broken less than $500 of equipment. LEVEL MODL Secure against most of the low cost attacks. Attackers need to have more expensive tools and special knowledge. 13 February February Protection Levels Classification Of Physical Level MOD Special tools and equipment are required as well as special skills and knowledge. Equipment cost my range from $5000 to $50000 Level MODH Special design is considered for secure device. Equipment cost to attack ranges from $50000 to $200,000 Level HIGH It is resilient against all known attacks. Micropr obing Invasive Revers e Engine ering Non- Invasive Sidechannel Brute Force Fault Injection Physical Data Reminance UV Optical Fault Injection Semiinvasive Advanced imaging Techniques Optical Sidechannel 13 February February

2 Non-Invasive Non-Invasive Do not require decapsulation of the device, so it is non-destructive Do not require any initial preparation of the device under test. They can be done by tapping on a wire or plugging the device in the test chip. Easley reproducible, so that they are not expensive However, it can take a lot of time to find an attack on an any particular device. Passive Side-Channel Power Analysis Timing Electromagnetic Emission Active Brute Force Glitch Under-voltage and overvoltage attacks Current Analysis e.t 13 February February Invasive Penetrative attacks: expensive to perform require expensive equipment, knowledgeable attackers and time almost unlimited capabilities to extract information from chips and understand their functionality leave tamper evidence of the attack or even destroy the device getting more demanding as the device complexity increases and the size shrinks Tools Invasive IC soldering/desoldering station simple chemical lab and high-resolution optical microscope wire bonding machine, laser cutting system, microprobing station oscilloscope, logic analyser, signal generator scanning electron microscope and focused ion beam workstation 13 February February Semi-Invasive Semi-Invasive Relatively new type of attack, it fills the gap between non-invasive and invasive attacks Similar to the invasive attacks, they requires depackaging of the device But, the attacker do not need to have expensive tools such as FIB. Actually, these attacks are not entirely new since UV light is used to disable security fuses in EPROM for many years UV Light Used to disable security fuses in EPROM and one-time programmable (OTP) microcontrollers Advanced Imaging Techniques IR Light is used to observe the chip from rear side Laser scanning techniques are used for hardware security analysis Optical Fault Injection It is used to induce transient fault in a transistor by illuminating it with laser Optical Side- Channel Analysis Observation of photon emission from the transistor 13 February February

3 Invasive Sample Preparation Sample Preparation Decapsulation Deprocessing Reverse Engineering Optical imaging for layout reconstruction Memory extraction Microprobing Laser cutter FIB workstation Chip Modification It starts with partial or full decapsulation of the chip to expose the chip die Decapsulation is the process of the removal of the chip package It can be done easily by anyone who has high school chemistry knowledge Only need to do some practice on a dozen of chip 13 February February Manual Decapsulation Milling a hole on the Chip Package In this way the acid will affect the only desired area on the chip surface Exposing the chip package to acid Fuming Nitric Acid or mixture of Fuming Nitric Acid and concentrated Sulphuric Acid can be used The acid is applied with a pipette to the hole in the chip, it should be preheated to C Cleaning the chip from the reaction products After second, the chip is sprayed with dry acetone several times Also, ultrasonic bath can be used to clean the chip die surface 13 February Decapsulation can be done from the rear side of the chip Access to the chip die can be established without using any chemical It requires to mill down to the copper plate which can be then removed mechanically

4 Automated Decapsulation For the large quantities, automated decapsulation systems can be used. Very little skill and experience is required to operate it Such systems cost over $15,000 and so that generally relatively large labs buy them Also, they consume ten times more acid than the manual decapsulation, so the disposal of the wastes should be done in proper way Nippon Scientific, PA February The same partial decapsulation can be applied to smart card Not all of them may maintain their electrical integrity Generally, smart cards are decapsulated completely 13 February Sample Preparation Deprocessing is the opposite process of the the chip fabrication It has two main application; Removing passivation layer to expose metal layers for microprobing attack Gaining access to the deep layers to observe internal structure of the chip Three basic deprocessing method are used; Wet chemical etching Plasma etching, also known as dry etching Mechanical polishing Wet Chemical Etching; Deprocessing Each layer is removed by specific chemicals Its downside is its uniformity in all directions Each type of material needs certain etchants to be used Nitrox wet etchant is one of the most effective etching agents for silicon nitride and silicon dioxide passivation layers which selectively removes the passivation layers of integrated circuits while preserving full device functionality. 13 February February Deprocessing Deprocessing Plasma Etching uses radicals created from gas inside a special chamber. only the surfaces hit by the ions are removed Similarly, each type of material needs certain enchant Figure1 Motorola MC68HC705C9A microcontroller. The metal layer is removed exposing the polysilicon and the doping layers. Figure2 Microchip PIC16F76 microcontroller. The top metal layer is removed exposing the second metal layer. Mechanical polishing performed with the use of abrasive materials Time-consuming and requires special machines 13 February

5 Etching Agents for Wet Chemical and Plasma Etching Reverse Engineering Reverse engineering is a technique used for understanding of the structure of the device and its functioning For ASIC, it means locations of all the transistors and interconnections All the layers of the chip are removed one by one in reverse order and photographed to determine the internal structure of the chip Eventually, by processing obtained information, standard netlist can be created and used to simulate the device February Reverse Engineering: Imaging Optical Imaging: For reverse engineering the silicon chips down to 0.18 µm feature size, an optical microscope with a digital camera can be used SEM: For semiconductor chips fabricated with 0.13 µm or smaller technology, images are created using a SEM which has a resolution better than 10 nm. 13 February February 2014 Flylogic.net/blog 28 Reverse Engineering Reverse Engineering: Memory extraction Memory extraction from Mask ROMs only possible for certain type of Mask ROM memory For example; NOR Mask ROM with active layer programming used in Motorola MC68HC705P6A Microcontroller can be read by removing the top metal layer But, same Microcontroller with newer technology requires deprocessing February

6 Reverse Engineering: Memory extraction Invasive : Microprobing Microprobing eavesdropping on signals inside a chip injection of test signals and observing the reaction can be used for extraction of secret keys and memory contents laser cutter can be used to remove passivation and cut metal wires limited use for 0.35µm and smaller chips 13 February February Tools Invasive : Microprobing The most important tool is microprobing station. It consists of five elements a microscope, stage, device test socket, micromanipulators and probe tips. Invasive : Microprobing Microprobing is applied to the internal CPU data bus Difficult to observe whole data bus at a time Two to four probes are used to observe data signals which are combined as a whole data trace later. 13 February February Microprobing: Laser Cutting Microprobing: Laser Cutting It is used to remove passivation layer to observe the metal layer Laser Cutting Systems consist of laser head mounted on camera port of a microscope submicron-precision stage to move the sample Carefully dosed laser flashes remove patches of the passivation layer with micrometer precision 13 February February

7 Microprobing: FIB Workstation The devices fabricated with 0.5 µm or smaller technology needs more sophisticated tools to establish contacts with the interconnect wires FIB stations can be used to create test point, imaging and repairing Also, FIB can mill holes and cut the wires 13 February Invasive : Chip Modification Invasive : Chip Modification It is used to disable security protection circuitry By cutting one of the internal metal interconnection wires by completely destroying the circuit associated with the security protection using a laser cutter For more sophisticated attacks FIB is used connecting the wire that transmits the security state to either the ground or the supply line. Chip modification always requires at least partial reverse engineering of the chip to find the point for possible attack. 13 February February Bus Encryption Countermeasures Top-layer Sensor Meshes ASICs and custom ICs Internal Voltage and Clock Frequency Sensors Light Sensor Countermeasures: Bus Encryption The bus encryption is used to protect the sensitive information from probing. Basically, the memory content is encrypted and then sent to the CPU by data bus Before the data used in CPU, it is decrypted 13 February February

8 Countermeasure: Bus Scrambling Typical probing areas Memory bus drivers Data bus itself where lines are organized in proper CPU bus width Bus order is 99.9% of the time in order (0..7 or 7..0) Countermeasure: Bus Scrambling Data bus scrambling is used to confuse attackers Order of the data bus is changed to make it difficult to observe bus signals 13 February February Bus Scrambling Counterme.: Top-layer Sensor Meshes Additional metallization layers that form a sensor mesh above the actual circuit do not carry any critical signals All the paths in a sensor mesh are continuously monitored for interruptions and short-circuits while power is available It prevents laser cutter or selective etching access to the bus lines. Also, mesh layer hides the lower layer which makes navigation on the chip surface for probing and FIB editing more tedious. 13 February February Counterme.: Top-layer Sensor Meshes Countermeasure: ASICs and Custom ICs Types of ASIC design Glue logic design from VHDL or logic level (Netlist) Fully custom design with security requirements 13 February February

9 Countermeasures: Sensors Different kind of sensors can be used to detect attack attempt Voltage and frequency sensors for glitching attacks Light sensor can be helpful against decapsulation of the device Special purpose sensors can be created to detect probing. Ring oscillator based detector (Probing Attempt Detector) Sensors : Probing Attempt Detector Exploits the fact that probing will change the capacitance in the bus line. Place ring oscillators on the bus lines When the probe touches the one or more bus lines, frequency of the ring oscillator changes PAD observes the bus lines continuously, when they have significant difference, it sets a flag that there is a probing attempt on the one of the lines 13 February February Sensors : Probing Attempt Detector Semi-Invasive Sample Preparation Imaging Perform the Decapsulation Backside imaging techniques UV light attacks Active photon probing Optical Fault injection attacks 13 February February Semi-Invasive : Sample Preparation Decapsulation of the chip to prepare it for attacks. For the modern chips, backside decapsulation is used There is no need to use chemicals Semi-Invasive : Imaging Down to 0.8 µm technology, it was possible to identify all the major elements of microcontrollers ROM, EEPROM, SRAM, CPU Difficult to distinguish for newer technologies Can be observed with infrared light from rear side Backside imaging also is useful to extract the Mask ROM content 13 February February

10 Semi-Invasive : Imaging Semi-Invasive : UV They can be applied any OTP and UV EPROM microcontrollers Divided into two stages Finding the fuse by using imaging techniques resetting it to the unprotected state with a UV light 13 February February UV : Locating the Security Fuses Security fuse Controls access to the information stored in onchip memory They are physically located in the chip die They are the separate memory cells from the main memory array If they are away from the main memory or next to it, the security is not very high as the fuses can be found and disabled. Better protection can be achieved when the security fuses are located on the same memory array UV : Locating the Security Fuses Several methods can be used to locate the security fuses Reverse engineering (expensive) Partial Reverse engineering ( could save time) High voltage used for memory programming, is normally supplied from an external pin and could be traced down to all the EPROM memory cells including the fuses with optical microscope (if technology is down to 0.8 um) Newer technologies requires deprocessing to observe the internal structure of the chip 13 February February UV If fuses are close the main memory, UV light can be used to locate them After, finding the security fuses, five to ten minutes under UV light should give the proper result. Semi-Invasive : Active Photon Probing Laser radiation can ionize an IC s semiconductor regions if its photon energy exceeds the semiconductor band gap In active photon probing, a scanned photon beam interacts with an IC. Laser scanning techniques (LST) One is called optical beam induced current (OBIC) and is applied to an unbiased chip to find the active doped areas on its surface Another is, called light-induced voltage alteration (LIVA), applied to a chip under operation 13 February February

11 Reading the logic state of CMOS transistors Red low power laser beams ionize active areas Power off imaging identifies active areas Power on imaging distinguishes between closed and opened transistor channels Semi-Invasive : Optical Fault injection attacks Illumination of a target transistor causes it to conduct, thereby inducing a transient fault Such attacks Practical Do not require expensive laser equipment Any individual bit of SRAM in microcontroller can be set or reset 13 February February Fault injection attacks: Changing SRAM contents Non-volatile memory contents modification EPROM, EEPROM and Flash memory cells are even more sensitive to fault injection attacks. They can be changed by light This attacks can be used to disable security fuses The light should be focused down to the security fuse These attacks do not work on modern chips built in smaller sizes 13 February February References Semi-invasive attacks A new approach to hardware security analysis, Sergei P. Skorobogatov Physical and Tamper Resistance Sergei Skorobogatov Hardware Engines for Bus Encryption: a Survey of Existing Techniques R. Elbaz, L. Torres, G. Sassatelli, P. Guillemin, C. Anguille and C. Buatois, J. B. Rigaud References Smart Card Handbook, by Wolgang Ranki, Wolfgang Effing Detection of Probing Attempts in Secure ICs, Salvador Manich, Markus S. Wamser and Georg Sigl Wet and Dry Etching Avinash P. Nayak Logeeswaran VJ and M. Saif Islam Security Failures in Secure Devices, Christopher Tarnovsky Black Hat, DC 13 February February